White House unveils NIST Framework for Improving Critical Infrastructure Cybersecurity

The U.S. government today released a set of standards yesterday that are designed to help companies in industries critical to the nation to defend against cyber threats. The Framework for Improving Critical Infrastructure Cybersecurity, from the National Institute of Standards and Technology NIST, is positioned as a voluntary minimum standard, consisting of three parts (core, profile and tiers), built to assess firms' security, and bring them up to a safer level.

The document, often referred to as the Cybersecurity Framework (CSF) or simply the Framework, was finalized within one year of President Barack Obama issuing an executive order to the National Institute of Standards and Technology (NIST) to create voluntary cybersecurity standards. This was an impressive achievement by NIST says ESET security researcher Stephen Cobb, because the process included a massive amount of input from the private sector. Said Cobb, "NIST solicited written input and conducted a series of CSF workshops around the country, each one attended by hundreds of people."

Andrew Lee, CEO of ESET North America, submitted extensive comments on the Framework in the early stages of the process. Several ESET employees participated in the workshops, with ESET security researcher Cameron Camp attending three of them (local transportation for the workshop held in San Diego was provided by ESET). Both Cobb and Cameron gave NIST high marks for the workshop process which split the attendees into groups for structured discussions and special sessions dedicated to key topics.

In his remarks on the release of the Framework, President Obama noted that it was not the end of the process of improving cybersecurity in critical infrastructure:

"While I believe today's Framework marks a turning point, it's clear that much more work needs to be done to enhance our cybersecurity....I again urge Congress to move forward on cybersecurity legislation that both protects our nation and our privacy and civil liberties. Meanwhile, my Administration will continue to take action, under existing authorities, to protect our nation from this threat. This voluntary Framework is a great example of how the private sector and government can, and should, work together to meet this shared challenge."

TechCrunch reports that Lisa Monaco, Obama’s counterterrorism advisor said that the document “provides, for lack of a better phrase, a common language to discuss cybersecurity.”

The release of the 39-page document comes after planned cybersecurity laws stalled in Congress. The document attempts to apply basic cybersecurity standards by placing them in the context of business risk, and can be used by organizations, regardless of size. “Cybersecurity risk affects a company’s bottom line,” the report’s authors say, describing the document as a “set of industry standards and best practices to help organizations manage cybersecurity risks."

According to Cobb, the CSF has the potential to help the country improve its cyber security posture, but won't achieve results without strong commitment at the C-level in the private sector. Adds Cobb, "Incentives might help inspire that commitment, a point addressed by Adam Sedgewick, one of those who led the Framework project at NIST, when I spoke to him this morning, just before the official launch."

As reported by Cameron Camp, there has been talk of cyber risk insurance providers using the Framework as a benchmark when determining rates. If a company could show it is conforming with the framework it could potentially buy cyber insurance for less, just as insurance for a dwelling costs less if the building is built to code. However, Cobb says Sedgewick took great pains to point out that the Framework was not intended to be the basis for mandatory standards, a view underlined by the president's uses of the term "voluntary Framework."